06-27-2009, 07:45 PM   #1
Registered User
 
Join Date: Jun 2009
Posts: 5
OS: XP


Overclick.cn Spyware

Oh lord, this thing is nasty.

I'm pretty sure I have the same thing as this guy:

small worsening virus problem - spyware

When I click on a link, instead of taking me to the website, it takes me to some poorly-designed ad websites. Do people actually sell products doing stuff like this? The redirect link "overclick.cn" seems to be a recurring theme.

I've run (in this order):

Spybot
Malwarebytes
HijackThis
Combofix

I really need some help.

I've been lurking desperately around these forums for the past three hours to no avail. Here's the log from Combofix:

ComboFix 09-06-26.02 - Compaq_Owner 06/27/2009 20:10.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.152 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Music\100th Window (2003)\_desktop.ini
c:\documents and settings\Compaq_Owner\nah_log.dat
D:\Autorun.inf
D:\Desktop.ini

Infected copy of c:\windows\system32\winlogon.exe was found and disinfected
Restored copy from - c:\windows\ServicePackFiles\i386\winlogon.exe

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-28 )))))))))))))))))))))))))))))))
.

2009-06-27 17:44 . 2009-06-28 01:09 272 ----a-w- c:\windows\system32\msorcn2r.dat
2009-06-27 17:44 . 2009-06-28 01:09 272 ----a-w- c:\windows\system32\csseqcak.dat
2009-06-27 17:44 . 2009-06-28 01:07 0 ----a-w- c:\windows\system32\LAPRXR.dat
2009-06-26 22:55 . 2009-06-28 01:21 7036 ----a-w- c:\windows\system32\compacui.dat
2009-06-26 22:55 . 2009-06-28 01:21 616 ----a-w- c:\windows\system32\stobjuct.dat
2009-06-26 22:55 . 2009-06-28 01:21 0 ----a-w- c:\windows\system32\napipyec.dat
2009-06-26 22:55 . 2009-06-28 00:50 396 ----a-w- c:\windows\system32\msxmwrv.dat
2009-06-21 03:49 . 2009-06-21 04:55 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-28 00:11 . 2009-02-27 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 20:41 . 2008-08-14 18:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-27 06:18 . 2007-04-06 09:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-17 16:27 . 2009-02-27 23:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-02-27 23:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-22 00:01 . 2008-06-14 17:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-19 04:46 . 2008-01-10 17:22 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstWMP\unins000.exe
2009-05-19 04:46 . 2008-01-10 17:22 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstITW\unins000.exe
2009-05-19 04:45 . 2009-05-19 04:45 -------- d-----w- c:\program files\foobar2000
2009-05-19 04:45 . 2008-01-10 17:22 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstFoo3\unins000.exe
2009-05-19 04:45 . 2007-04-18 18:45 -------- d-----w- c:\program files\Last.fm
2009-05-17 18:54 . 2007-03-29 02:54 16344 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-05-14 22:36 . 2007-12-27 19:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\uTorrent
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\msxmwrv]
@="{0F84B84C-B3F8-A9F3-65A9-1B98D1A26C3E}"
[HKEY_CLASSES_ROOT\CLSID\{0F84B84C-B3F8-A9F3-65A9-1B98D1A26C3E}]
2004-08-04 04:00 131072 ----a-w- c:\windows\system32\msxmwrv.ocx

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"mount.exe"="c:\program files\GiPo@Utilities\FileUtilities.3\mount.exe" [2008-04-11 374272]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 68856]
"AdobeUpdater"="c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe" [2008-11-28 2356088]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Last.fm Helper.lnk - c:\program files\Last.fm\LastFMHelper.exe [2007-8-5 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2007-3-27 36903]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-2-2 884838]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoChangeAnimation"= 0 (0x0)
"NoThumbnailCache"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= QQ.exe
"2"= QQexternal.exe
"3"= QQGame.exe
"4"= QQPetDazzle.exe

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 totalio;TotalIO;c:\windows\system32\drivers\totalio.sys [12/22/2007 3:09 PM 2358]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [10/3/2008 2:09 PM 17149]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2/2/2009 9:00 PM 362944]
S3 SQTECH9090;TOP Cam;c:\windows\system32\drivers\Capt9090.sys [1/25/2009 2:39 AM 48384]
.
Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 21:42]

2009-06-28 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-28 02:57]
.
- - - - ORPHANS REMOVED - - - -

HKLM-Run-SQ916D - c:\program files\SQ916D\916D.exe


.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2dlck6br.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-27 20:21
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


c:\windows\system32\drivers\hjgruiesbapfdi.sys 69632 bytes executable
c:\windows\system32\hjgruifasrfwko.dat 93 bytes
c:\windows\system32\hjgruikbymytiq.dll 18944 bytes executable
c:\windows\system32\hjgruimqreaked.dat 11428 bytes
c:\windows\system32\hjgruiutbdervy.dll 44032 bytes executable

scan completed successfully
hidden files: 5

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\hjgruifvspulqi]
"imagepath"="\systemroot\system32\drivers\hjgruiesbapfdi.sys"
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(4124)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-06-28 20:29 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-28 01:29

Pre-Run: 46,612,422,656 bytes free
Post-Run: 46,614,319,104 bytes free

317 --- E O F --- 2009-03-14 08:01
Mechrobioticon is offline  
06-27-2009, 09:32 PM   #2
Analyst, Security Team
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: Overclick.cn Spyware

hi.

Seems you already ran Combofix.

Quote (originally posted by Ried):
Why we don't ask you to run ComboFix from the onset

As stated by the author of ComboFix:

ComboFix is a very powerful tool which when improperly used may render your machine to a doorstop.

We first need to verify if there's any rootkits present and how they could affect our tools. DDS & GMER are preliminary scans. We use their logs to map our strategy for attack.

With these logs we can determine the infections present & decide whether to deploy ComboFix.

We need to have the GMER log first before we start fixing your computer. Something must be stopping GMER from completing its scans.

If you have the gmer.exe now, delete it please.

Redownload GMER from here:
http://www.gmer.net/files.php

Unzip it to the desktop.

---------------------------------
Open Notepad and copy/paste the contents of the code box below into Notepad.
Code:
@rem Run a renamed copy of GMER so whatever is blocking gmer.exe by name does not catch it
@copy /y gmer.exe gamer.exe
@Start gamer.exe -protect
Save this as bio.bat, choosing "Save type as - All Files".

Place the batch next to gmer & double click bio.bat to launch it.

--------------------------------------------------------------------------


When the program opens, click on the Rootkit tab.
Make sure all the boxes on the right of the screen are checked, EXCEPT for 'Show All'.
Click on Scan.
Once done, click on the [Save..] button and, in the File name area, type in "ark.txt"; otherwise it will save as a .log file, which cannot be uploaded to your post.
Save it where you can easily find it, such as your desktop.
Attach that ARK.txt in your next reply.

**Caution**
Rootkit scans often produce false positives. Do NOT take any action on any "<--- ROOTKIT" entries.


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
06-28-2009, 08:29 AM   #3
Registered User
 
Join Date: Jun 2009
Posts: 5
OS: XP


Re: Overclick.cn Spyware

Wow that was fast.

Thank you. Seriously.

Anyway, here's the ark.txt:

GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-06-28 09:24:23
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.15 ----

Code 84C95120 ZwEnumerateKey
Code 84C98120 ZwFlushInstructionCache
Code 84C8711E IofCallDriver
Code 84C6916E IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 84C87123
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 84C69173
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 84C98124
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 84C95124

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0062000A
.text C:\Program Files\iPod\bin\iPodService.exe[688] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0070000A
.text C:\WINDOWS\system32\services.exe[696] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 003A000A
.text C:\WINDOWS\system32\lsass.exe[708] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0065000A
.text C:\WINDOWS\system32\Ati2evxx.exe[888] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0096000A
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [ole32.dll!CoCreateInstance] 7FEF2B60
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [USER32.dll!GetMessageW] 7FEF1FCF
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [USER32.dll!PeekMessageW] 7FEF1F50
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!OpenFile] 7FEF2272
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\Secur32.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 7FEF200D
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 7FEF1FCF
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 7FEF1F50
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 7FEF1F91
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 7FEF1FCF
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 7FEF1F0F
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 7FEF1F50
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\NETAPI32.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 7FEF1F50
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 7FEF1FCF
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 7FEF200D
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WS2_32.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\iphlpapi.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\System32\SAMLIB.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\PSAPI.DLL [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHELL32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!PeekMessageW] 7FEF1F50
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetMessageW] 7FEF1FCF
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHELL32.dll [USER32.dll!GetClipboardData] 7FEF200D
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!OpenFile] 7FEF2272
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\RPCRT4.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\Secur32.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\GDI32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageA] 7FEF1F91
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!GetMessageW] 7FEF1FCF
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 7FEF1F0F
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageW] 7FEF1F50
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 7FEF200D
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetMessageW] 7FEF1FCF
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!PeekMessageW] 7FEF1F50
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WS2_32.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WININET.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegSetValueExA] 7FEF2050
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\CRYPT32.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\NETAPI32.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\NETAPI32.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryW] 7FEF2AA8
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] 7FEF229E
IAT C:\Program Files\Last.fm\LastFM.exe[3112] @ C:\WINDOWS\system32\USERENV.dll [KERNEL32.dll!LoadLibraryA] 7FEF29F0

---- Processes - GMER 1.0.15 ----

Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1380] 0x02CB0000

---- EOF - GMER 1.0.15 ----
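As an added example (not part of the thread, and not GMER's own code), here is a Python triage script for a log like the one above: it parses the inline JMP, IAT and hidden-module lines and flags any process whose hook targets all fall within one small address range, the pattern a single injected hooking module leaves behind. The embedded sample log is a constructed subset of the lines above, and the 0x10000-byte clustering window is an assumed heuristic.

```python
"""Triage helper for a GMER rootkit-scan log (added example; not from the thread
or from GMER). It parses the three hook line types GMER prints, inline JMP
patches in kernel and user code, IAT redirections and hidden modules, and
summarises per process what a responder checks first: how many calls are hooked,
how many distinct places they land, and whether those places all sit in one
small address range, which is what a single injected hooking module looks like."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Inline patch: "<section> [<process>[pid]] <module>!<function> <addr> <n> Bytes JMP <target>"
INLINE_RE = re.compile(
    r"^(?P<section>\.text|PAGE|INIT)\s+"
    r"(?:(?P<proc>.+?)\[(?P<pid>\d+)\]\s+)?"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+\d+\s+Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)$")
# IAT hook: "IAT <process>[pid] @ <importing module> [<dll>!<function>] <target>"
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<importer>.+?)\s+"
    r"\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+(?P<target>[0-9A-Fa-f]+)$")
# Hidden module: "Library <path> (*** hidden *** ) @ <process> [pid] 0x<base>"
HIDDEN_RE = re.compile(
    r"^Library\s+(?P<lib>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+0x(?P<base>[0-9A-Fa-f]+)$")

@dataclass(frozen=True)
class Hook:
    kind: str             # "inline", "iat" or "hidden"
    process: str          # image path, or "<kernel>" for kernel-mode patches
    pid: Optional[int]
    symbol: str           # module!function, or the library path for "hidden"
    target: int           # JMP destination, new IAT value, or module base

def parse_gmer(text: str) -> list:
    """Turn the hook lines of a GMER log into Hook records; other lines are ignored."""
    hooks = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := INLINE_RE.match(line):
            hooks.append(Hook("inline", m["proc"] or "<kernel>",
                              int(m["pid"]) if m["pid"] else None,
                              f"{m['module']}!{m['func']}", int(m["target"], 16)))
        elif m := IAT_RE.match(line):
            hooks.append(Hook("iat", m["proc"], int(m["pid"]),
                              f"{m['dll']}!{m['func']}", int(m["target"], 16)))
        elif m := HIDDEN_RE.match(line):
            hooks.append(Hook("hidden", m["proc"], int(m["pid"]),
                              m["lib"], int(m["base"], 16)))
    return hooks

def triage(hooks, cluster_span: int = 0x10000) -> dict:
    """Per-process summary. 'targets_clustered' is True when every hook target of a
    process lies within cluster_span bytes of the others (assumed heuristic)."""
    by_proc = defaultdict(list)
    for h in hooks:
        by_proc[h.process].append(h)
    report = {}
    for proc, hs in by_proc.items():
        targets = sorted({h.target for h in hs if h.kind != "hidden"})
        report[proc] = {
            "inline": sum(1 for h in hs if h.kind == "inline"),
            "iat": sum(1 for h in hs if h.kind == "iat"),
            "hidden_modules": sorted(h.symbol for h in hs if h.kind == "hidden"),
            "distinct_targets": len(targets),
            "targets_clustered": len(targets) > 1 and targets[-1] - targets[0] <= cluster_span,
            "hooked_functions": sorted({h.symbol for h in hs if h.kind != "hidden"}),
        }
    return report

# Constructed sample: a subset of the lines from the log posted above, in GMER's format.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!IofCallDriver 804EE130 5 Bytes JMP 84C87123
.text ntkrnlpa.exe!IofCompleteRequest 804EE1C0 5 Bytes JMP 84C69173
PAGE ntkrnlpa.exe!ZwFlushInstructionCache 805ABEC4 5 Bytes JMP 84C98124
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB70 5 Bytes JMP 84C95124
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0062000A
.text C:\Program Files\iPod\bin\iPodService.exe[688] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 0070000A
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [ADVAPI32.dll!RegSetValueExW] 7FEF20AA
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryA] 7FEF29F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!CreateFileW] 7FEF21F0
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\SHLWAPI.dll [USER32.dll!PeekMessageA] 7FEF1F0F
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!GetClipboardData] 7FEF200D
IAT C:\WINDOWS\Explorer.EXE[1380] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateFileA] 7FEF21C7
---- Processes - GMER 1.0.15 ----
Library C:\Program (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1380] 0x02CB0000
"""

if __name__ == "__main__":
    for proc, r in triage(parse_gmer(SAMPLE_LOG)).items():
        flag = "  <-- hooks converge on one module" if r["targets_clustered"] else ""
        print(f"{proc}: {r['inline']} inline, {r['iat']} IAT, "
              f"{r['distinct_targets']} distinct targets, "
              f"hidden={r['hidden_modules']}{flag}")
```

Run against the full log, the Explorer.EXE entry shows every redirected import landing in one range of a few kilobytes, which is the line of evidence the analyst's next post acts on.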
Old 06-28-2009, 08:58 AM   #4 (permalink)
Analyst, Security Team
 
 
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: Overclick.cn Spyware

Hi.

Let's continue;

I am sorry to inform you that one or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and download and execute files.

If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

------------------------------------------------------------------------

Before beginning the fix, read this post completely. If there's anything that you do not understand, kindly ask your questions before proceeding. Ensure that there aren't any opened browsers when you are carrying out the procedures below. Save the following instructions in Notepad as this webpage would not be available when you're carrying out the fix.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

----------------------------------------------------------------------------------------------------------

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. You can find instructions HERE.

3. Open notepad and copy/paste the text in the quotebox below into it:

Quote:
http://www.techsupportforum.com/security-center/virus-trojan-spyware-help/389682-overclick-cn-spyware.html#post2212234

COLLECT::
c:\windows\system32\drivers\hjgruiesbapfdi.sys
c:\windows\system32\hjgruifasrfwko.dat
c:\windows\system32\hjgruikbymytiq.dll
c:\windows\system32\hjgruimqreaked.dat
c:\windows\system32\hjgruiutbdervy.dll

DRIVER::
hjgruifvspulqi
Save this as CFScript.txt, in the same location as ComboFix.exe




Referring to the picture above, drag CFScript into ComboFix.exe

When finished, it shall produce a log for you at C:\ComboFix.txt which I will require in your next reply.


**Note**

When CF finishes running, the ComboFix log will open along with a message box--do not be alarmed. With the above script, ComboFix will capture files to submit for analysis.
  • Ensure you are connected to the internet and click OK on the message box.
If you do not get a message box, please do the following:

There should be a file named [4]-Submit_date@time.zip with today's date, located here:

C:\QooBox\Quarantine\[4]-Submit_date@time.zip

Using the 'Browse' button, please submit it to this site ==> http://www.bleepingcomputer.com/subm....php?channel=4

Please let me know if you successfully submitted the file. Thanks.

-------------------------------------------------------------------------
Please go to: VirusTotal
  • On the page you'll find a Browse button.
  • Next to the Browse button you'll see a box to enter text.
  • Please copy/paste the following bolded text into the box:

    c:\windows\system32\stobjuct.dat

  • Then click the Send File button just below.
  • This will scan the file. Please be patient.
  • If you get a message saying File has already been analysed: click Reanalyse file now
  • Once scanned, copy and paste the results in your next reply.
  • Please repeat for the following files:

    • c:\windows\system32\msorcn2r.dat

-------------------------------------------------------------------------

Please attach this one in your next reply.

C:\QooBox\Add-Remove Programs.txt



In your reply, please post

C:\combofix.txt
C:\QooBox\Add-Remove Programs.txt <--attached
Virustotal report <--attached


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P

Last edited by mas_pogi; 06-28-2009 at 09:01 AM.
Old 06-29-2009, 12:47 AM   #5 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 5
OS: XP


Re: Overclick.cn Spyware

Wow that does suck.

I guess I'm lucky. I don't use this computer for financial transactions, and as a matter of policy I don't own a credit card. I think that trojan was the thing that was hijacking my gmail for spamming people. I deleted that account, and I thought I got it with Malwarebytes.

Guess I was wrong, huh?

Anyway, again, thank you for being so speedy.

OK, I submitted [4]-Submit_2009-06-29_01.07.28 with this topic's address.

Here's the ComboFix log:

ComboFix 09-06-28.02 - Compaq_Owner 06/29/2009 1:08.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.446.222 [GMT -5:00]
Running from: c:\documents and settings\Compaq_Owner\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Compaq_Owner\Desktop\CFScript.txt
FW: Norton Internet Worm Protection *disabled* {990F9400-4CEE-43EA-A83A-D013ADD8EA6E}

file zipped: c:\windows\system32\drivers\hjgruiesbapfdi.sys
file zipped: c:\windows\system32\hjgruifasrfwko.dat
file zipped: c:\windows\system32\hjgruikbymytiq.dll
file zipped: c:\windows\system32\hjgruimqreaked.dat
file zipped: c:\windows\system32\hjgruiutbdervy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\docume~1\COMPAQ~1\LOCALS~1\Temp\IadHide5.dll
c:\documents and settings\Compaq_Owner\Local Settings\temp\IadHide5.dll
c:\windows\system32\drivers\hjgruiesbapfdi.sys
c:\windows\system32\hjgruifasrfwko.dat
c:\windows\system32\hjgruikbymytiq.dll
c:\windows\system32\hjgruimqreaked.dat
c:\windows\system32\hjgruiutbdervy.dll

.
((((((((((((((((((((((((( Files Created from 2009-05-28 to 2009-06-29 )))))))))))))))))))))))))))))))
.

2009-06-28 05:05 . 2009-06-28 05:05 -------- d-----w- C:\!KillBox
2009-06-28 01:35 . 2009-03-06 14:22 284160 ------w- c:\windows\system32\dllcache\pdh.dll
2009-06-28 01:35 . 2009-02-09 12:10 473600 ------w- c:\windows\system32\dllcache\fastprox.dll
2009-06-28 01:35 . 2009-02-09 12:10 453120 ------w- c:\windows\system32\dllcache\wmiprvsd.dll
2009-06-28 01:35 . 2009-02-09 12:10 401408 ------w- c:\windows\system32\dllcache\rpcss.dll
2009-06-28 01:35 . 2009-02-06 11:11 110592 ------w- c:\windows\system32\dllcache\services.exe
2009-06-28 01:35 . 2009-02-06 10:10 227840 ------w- c:\windows\system32\dllcache\wmiprvse.exe
2009-06-28 01:35 . 2009-02-09 12:10 729088 ------w- c:\windows\system32\dllcache\lsasrv.dll
2009-06-28 01:35 . 2009-02-09 12:10 714752 ------w- c:\windows\system32\dllcache\ntdll.dll
2009-06-28 01:35 . 2009-02-09 12:10 617472 ------w- c:\windows\system32\dllcache\advapi32.dll
2009-06-28 01:33 . 2008-05-03 11:55 2560 ------w- c:\windows\system32\xpsp4res.dll
2009-06-28 01:33 . 2008-04-21 12:08 215552 ------w- c:\windows\system32\dllcache\wordpad.exe
2009-06-28 01:25 . 2009-06-28 01:25 -------- d-----w- c:\windows\system32\dllcache\cache
2009-06-27 17:44 . 2009-06-28 21:19 1668 ----a-w- c:\windows\system32\csseqcak.dat
2009-06-27 17:44 . 2009-06-28 15:33 624 ----a-w- c:\windows\system32\msorcn2r.dat
2009-06-27 17:44 . 2009-06-28 15:31 0 ----a-w- c:\windows\system32\LAPRXR.dat
2009-06-26 22:55 . 2009-06-29 06:18 4203 ----a-w- c:\windows\system32\stobjuct.dat
2009-06-26 22:55 . 2009-06-29 06:18 1090 ----a-w- c:\windows\system32\compacui.dat
2009-06-26 22:55 . 2009-06-29 06:18 0 ----a-w- c:\windows\system32\napipyec.dat
2009-06-26 22:55 . 2009-06-28 21:35 396 ----a-w- c:\windows\system32\msxmwrv.dat
2009-06-21 03:49 . 2009-06-21 04:55 -------- d-----w- c:\windows\system32\Adobe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-06-29 01:06 . 2007-07-20 13:40 -------- d-----w- c:\program files\Common Files\Adobe
2009-06-28 07:19 . 2007-04-06 09:35 -------- d-----w- c:\documents and settings\All Users\Application Data\Google Updater
2009-06-28 00:11 . 2009-02-27 23:18 -------- d-----w- c:\program files\Malwarebytes' Anti-Malware
2009-06-27 20:41 . 2008-08-14 18:28 -------- d-----w- c:\program files\Spybot - Search & Destroy
2009-06-17 16:27 . 2009-02-27 23:18 38160 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-06-17 16:27 . 2009-02-27 23:18 19096 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-05-22 00:01 . 2008-06-14 17:50 664 ----a-w- c:\windows\system32\d3d9caps.dat
2009-05-19 04:46 . 2008-01-10 17:22 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstWMP\unins000.exe
2009-05-19 04:46 . 2008-01-10 17:22 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstITW\unins000.exe
2009-05-19 04:45 . 2009-05-19 04:45 -------- d-----w- c:\program files\foobar2000
2009-05-19 04:45 . 2008-01-10 17:22 683801 ----a-w- c:\documents and settings\All Users\Application Data\Last.fm\Client\UninstFoo3\unins000.exe
2009-05-19 04:45 . 2007-04-18 18:45 -------- d-----w- c:\program files\Last.fm
2009-05-17 18:54 . 2007-03-29 02:54 16344 ----a-w- c:\documents and settings\Compaq_Owner\Application Data\wklnhst.dat
2009-05-14 22:36 . 2007-12-27 19:27 -------- d-----w- c:\documents and settings\Compaq_Owner\Application Data\uTorrent
2009-05-07 15:32 . 2007-03-27 01:50 345600 ----a-w- c:\windows\system32\localspl.dll
2009-04-29 04:46 . 2007-03-27 01:56 666624 ----a-w- c:\windows\system32\wininet.dll
2009-04-29 04:46 . 2007-03-27 01:50 81920 ----a-w- c:\windows\system32\ieencode.dll
2009-04-17 12:26 . 2007-03-27 01:56 1847168 ----a-w- c:\windows\system32\win32k.sys
2009-04-15 14:51 . 2007-03-27 01:53 585216 ----a-w- c:\windows\system32\rpcrt4.dll
.

------- Sigcheck -------

[7] 2004-08-04 04:00 14336 8F078AE4ED187AAABC0A305146DE6716 c:\windows\$NtServicePackUninstall$\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\ServicePackFiles\i386\svchost.exe
[7] 2008-04-14 00:12 14336 27C6D03BCDB8CFEB96B716F3D8BE3E18 c:\windows\system32\svchost.exe

[-] 2005-03-02 18:19 577024 1800F293BCCC8EDE8A70E12B88D80036 c:\windows\$hf_mig$\KB890859\SP2QFE\user32.dll
[-] 2007-03-08 15:48 578048 7AA4F6C00405DFC4B70ED4214E7D687B c:\windows\$hf_mig$\KB925902\SP2QFE\user32.dll
[-] 2007-03-08 15:36 577536 B409909F6E2E8A7067076ED748ABF1E7 c:\windows\$NtServicePackUninstall$\user32.dll
[7] 2004-08-04 04:00 577024 C72661F8552ACE7C5C85E16A3CF505C4 c:\windows\$NtUninstallKB890859$\user32.dll
[-] 2005-03-02 18:09 577024 DE2DB164BBB35DB061AF0997E4499054 c:\windows\$NtUninstallKB925902$\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\ServicePackFiles\i386\user32.dll
[7] 2008-04-14 00:12 578560 B26B135FF1B9F60C9388B4A7D16F600B c:\windows\system32\user32.dll

[7] 2004-08-04 04:00 82944 2ED0B7F12A60F90092081C50FA0EC2B2 c:\windows\$NtServicePackUninstall$\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\ServicePackFiles\i386\ws2_32.dll
[7] 2008-04-14 00:12 82432 2CCC474EB85CEAA3E1FA1726580A3E5A c:\windows\system32\ws2_32.dll

[-] 2005-10-21 03:38 661504 AF785C4947676A7FC1673FDC5C8D0B5B c:\windows\$hf_mig$\KB905915\SP2QFE\wininet.dll
[7] 2008-04-21 06:44 666112 2B0C24AA747A93A28987B6D65A4A74BC c:\windows\$hf_mig$\KB950759\SP3GDR\wininet.dll
[7] 2008-04-21 06:24 666624 26F240C250E5B4B395CB4B178BA75437 c:\windows\$hf_mig$\KB950759\SP3QFE\wininet.dll
[7] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\$hf_mig$\KB953838\SP3GDR\wininet.dll
[7] 2008-06-23 14:54 666624 972299B7241EC325D8C7E5638C884925 c:\windows\$hf_mig$\KB953838\SP3QFE\wininet.dll
[7] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\$hf_mig$\KB956390\SP3GDR\wininet.dll
[7] 2008-08-20 04:58 666624 94418F53D2612C26DBADC04DAFBC197C c:\windows\$hf_mig$\KB956390\SP3QFE\wininet.dll
[7] 2008-10-16 01:00 666112 1576318BF08D28CC61D1278114AD8D5B c:\windows\$hf_mig$\KB958215\SP3GDR\wininet.dll
[7] 2008-10-16 01:04 667136 E8FCE58A470999350F64C591557F9E42 c:\windows\$hf_mig$\KB958215\SP3QFE\wininet.dll
[7] 2009-04-29 04:21 668160 04BCB4F87B35502568F6CF33433543A5 c:\windows\$hf_mig$\KB969897\SP3QFE\wininet.dll
[7] 2008-10-16 10:20 667648 93C9D0A216498EE14EB9B26119BB95EE c:\windows\$NtServicePackUninstall$\wininet.dll
[7] 2004-08-04 04:00 656384 C0823FC5469663BA63E7DB88F9919D70 c:\windows\$NtUninstallKB905915$\wininet.dll
[-] 2005-10-21 03:39 658432 E7B27B6B6E06CE34EA019FD8B858C613 c:\windows\$NtUninstallKB912945$\wininet.dll
[-] 2006-01-09 18:02 662016 DDE9597A3311748C1519444E2BC147BD c:\windows\$NtUninstallKB928090$\wininet.dll
[-] 2007-01-04 14:05 665088 3FFA1573FC274E5AA7467D03941C45EE c:\windows\$NtUninstallKB931768$\wininet.dll
[-] 2007-02-20 09:52 665600 B258C922D22DEEC880B60720531D7627 c:\windows\$NtUninstallKB933566$\wininet.dll
[-] 2007-04-18 12:46 665600 4261BA03AFD659DE04F0A17DFBDD454D c:\windows\$NtUninstallKB937143$\wininet.dll
[-] 2007-06-26 14:35 665600 E1A3DD68B5380B360A7310A64D9BB188 c:\windows\$NtUninstallKB939653$\wininet.dll
[-] 2007-08-22 12:55 665600 A1BC17EB3758D73C3938B2318820F5B4 c:\windows\$NtUninstallKB942615$\wininet.dll
[-] 2007-10-11 05:57 666112 80D660A49E0D118144423099B2A9F5DA c:\windows\$NtUninstallKB944533$\wininet.dll
[-] 2007-12-07 00:44 666112 085A7C37F9C6EDE1BA870B7DBEC06399 c:\windows\$NtUninstallKB947864$\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\$NtUninstallKB950759$\wininet.dll
[-] 2008-02-16 09:32 666112 BB1EACD6AB47E78EBCA02EB781550D55 c:\windows\$NtUninstallKB950759_0$\wininet.dll
[7] 2008-04-21 06:44 666112 2B0C24AA747A93A28987B6D65A4A74BC c:\windows\$NtUninstallKB953838$\wininet.dll
[7] 2008-04-21 06:56 666624 2E7DE1BF9418B071799EB53DE8CC22F5 c:\windows\$NtUninstallKB953838_0$\wininet.dll
[7] 2008-06-23 15:09 666112 F12FBB673DE9CC802C5DC518FE99AA2F c:\windows\$NtUninstallKB956390$\wininet.dll
[7] 2008-06-23 16:12 667136 611ACE3F4201E9610AF8452F7C268995 c:\windows\$NtUninstallKB956390_0$\wininet.dll
[7] 2008-08-20 05:30 666112 9AF5F25124FBDC36E2B510729CBA2674 c:\windows\$NtUninstallKB958215$\wininet.dll
[7] 2008-08-20 05:33 667648 C91E3A6EF094202F6B5CA8960DFCF243 c:\windows\$NtUninstallKB958215_0$\wininet.dll
[7] 2008-10-16 01:00 666112 1576318BF08D28CC61D1278114AD8D5B c:\windows\$NtUninstallKB969897$\wininet.dll
[7] 2008-04-14 00:12 666112 7A4F775ABB2F1C97DEF3E73AFA2FAEDD c:\windows\ServicePackFiles\i386\wininet.dll
[7] 2009-04-29 04:46 666624 6002073519FA478BF89977369CDFD156 c:\windows\SoftwareDistribution\Download\a9c8e00397fe4457a25305c397dc3358\sp3gdr\wininet.dll
[7] 2009-04-29 04:21 668160 04BCB4F87B35502568F6CF33433543A5 c:\windows\SoftwareDistribution\Download\a9c8e00397fe4457a25305c397dc3358\sp3qfe\wininet.dll
[7] 2009-04-29 04:46 666624 6002073519FA478BF89977369CDFD156 c:\windows\system32\wininet.dll
[7] 2009-04-29 04:46 666624 6002073519FA478BF89977369CDFD156 c:\windows\system32\dllcache\wininet.dll

[-] 2005-03-14 01:17 359936 6129E70F3D2F1E60860C930EBEAF92C2 c:\windows\$hf_mig$\KB893066\SP2QFE\tcpip.sys
[-] 2006-04-20 12:18 360576 B2220C618B42A2212A59D91EBD6FC4B4 c:\windows\$hf_mig$\KB917953\SP2QFE\tcpip.sys
[-] 2007-10-30 16:53 360832 64798ECFA43D78C7178375FCDD16D8C8 c:\windows\$hf_mig$\KB941644\SP2QFE\tcpip.sys
[7] 2008-06-20 10:44 360960 744E57C99232201AE98C49168B918F48 c:\windows\$hf_mig$\KB951748\SP2QFE\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\$hf_mig$\KB951748\SP3GDR\tcpip.sys
[7] 2008-06-20 11:59 361600 AD978A1B783B5719720CFF204B666C8E c:\windows\$hf_mig$\KB951748\SP3QFE\tcpip.sys
[7] 2008-06-20 10:45 360320 2A5554FC5B1E04E131230E3CE035C3F9 c:\windows\$NtServicePackUninstall$\tcpip.sys
[7] 2004-08-04 04:00 359040 9F4B36614A0FC234525BA224957DE55C c:\windows\$NtUninstallKB893066$\tcpip.sys
[-] 2005-03-14 00:55 359808 0E66B538096A6529D1AC66E78EB0D5C8 c:\windows\$NtUninstallKB917953$\tcpip.sys
[-] 2006-04-20 11:51 359808 1DBF125862891817F374F407626967F4 c:\windows\$NtUninstallKB941644$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\$NtUninstallKB951748$\tcpip.sys
[-] 2007-10-30 17:20 360064 90CAFF4B094573449A0872A0F919B178 c:\windows\$NtUninstallKB951748_0$\tcpip.sys
[7] 2008-04-13 19:20 361344 93EA8D04EC73A85DB02EB8805988F733 c:\windows\ServicePackFiles\i386\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\dllcache\tcpip.sys
[7] 2008-06-20 11:51 361600 9AEFA14BD6B182D61E3119FA5F436D3D c:\windows\system32\drivers\tcpip.sys

[7] 2004-08-04 04:00 502272 01C3346C241652F43AED8E2149881BFE c:\windows\$NtServicePackUninstall$\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\ServicePackFiles\i386\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\winlogon.exe
[7] 2008-04-14 00:12 507904 ED0EF0A136DEC83DF69F04118870003E c:\windows\system32\dllcache\winlogon.exe

[7] 2004-08-04 04:00 182912 558635D3AF1C7546D26067D5D9B6959E c:\windows\$NtServicePackUninstall$\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\ServicePackFiles\i386\ndis.sys
[7] 2008-04-13 19:20 182656 1DF7F42665C94B825322FAE71721130D c:\windows\system32\drivers\ndis.sys

[7] 2004-08-04 04:00 29056 4448006B6BC60E6C027932CFC38D6855 c:\windows\$NtServicePackUninstall$\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\ServicePackFiles\i386\ip6fw.sys
[7] 2008-04-13 18:53 36608 3BB22519A194418D5FEC05D800A19AD0 c:\windows\system32\drivers\ip6fw.sys

[-] 2005-03-02 00:36 2056832 D8ABA3EAB509627E707A3B14F00FBB6B c:\windows\$hf_mig$\KB890859\SP2QFE\ntkrnlpa.exe
[-] 2006-12-19 16:12 2059392 BA4B97C00A437C1CC3DA365D93EE1E9D c:\windows\$hf_mig$\KB929338\SP2QFE\ntkrnlpa.exe
[-] 2007-02-28 09:15 2059392 4D3DBDCCBF97F5BA1E74F322B155C3BA c:\windows\$hf_mig$\KB931784\SP2QFE\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\$hf_mig$\KB956572\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:18 2062976 63EC865DFF6CCFC7BEF94B5C50297CAD c:\windows\$hf_mig$\KB956841\SP2QFE\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$hf_mig$\KB956841\SP3GDR\ntkrnlpa.exe
[7] 2008-08-14 20:39 2066048 A25E9B86EFFB2AF33BF51E676B68BFB0 c:\windows\$hf_mig$\KB956841\SP3QFE\ntkrnlpa.exe
[7] 2008-08-14 09:22 2057728 BA002228743B6824D87F0551DBC86D45 c:\windows\$NtServicePackUninstall$\ntkrnlpa.exe
[7] 2004-08-04 11:00 2056832 947FB1D86D14AFCFFDB54BF837EC25D0 c:\windows\$NtUninstallKB890859$\ntkrnlpa.exe
[-] 2005-03-02 00:34 2056832 81013F36B21C7F72CF784CC6731E0002 c:\windows\$NtUninstallKB929338$\ntkrnlpa.exe
[-] 2006-12-19 12:55 2057600 1D659BFB788ED2BA45075624B748D249 c:\windows\$NtUninstallKB931784$\ntkrnlpa.exe
[7] 2008-08-14 09:33 2066048 4AC58F03EB94A72809949D757FC39D80 c:\windows\$NtUninstallKB956572$\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\$NtUninstallKB956841$\ntkrnlpa.exe
[-] 2007-02-28 08:38 2057600 515D30E2C90A3665A2739309334C9283 c:\windows\$NtUninstallKB956841_0$\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\Driver Cache\i386\ntkrnlpa.exe
[7] 2008-04-13 18:31 2065792 109F8E3E3C82E337BB71B6BC9B895D61 c:\windows\ServicePackFiles\i386\ntkrnlpa.exe
[7] 2009-02-06 16:49 2057728 3006410E24772CC6953F0B5C01BEB35F c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntkrnlpa.exe
[7] 2009-02-06 09:49 2062976 9D832AF3FD1917DB0E1E8B2F000A2E3A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntkrnlpa.exe
[7] 2009-02-06 10:30 2066176 607352B9CB3D708C67F6039097801B5A c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\ntkrnlpa.exe
[7] 2009-02-08 00:02 2066048 5BA7F2141BC6DB06100D0E5A732C617A c:\windows\system32\dllcache\ntkrnlpa.exe

[-] 2005-03-02 01:04 2179456 28187802B7C368C0D3AEF7D4C382AABB c:\windows\$hf_mig$\KB890859\SP2QFE\ntoskrnl.exe
[-] 2006-12-19 16:51 2182016 CEF243F6DEFD20BE4ADDE26C7ECACB54 c:\windows\$hf_mig$\KB929338\SP2QFE\ntoskrnl.exe
[-] 2007-02-28 09:55 2182144 5A5C8DB4AA962C714C8371FBDF189FC9 c:\windows\$hf_mig$\KB931784\SP2QFE\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\$hf_mig$\KB956572\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 09:57 2185984 CE69DBD54221F2D40E49FF6DB77C6507 c:\windows\$hf_mig$\KB956841\SP2QFE\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$hf_mig$\KB956841\SP3GDR\ntoskrnl.exe
[7] 2008-08-14 21:11 2189184 31914172342BFF330063F343AC6958FE c:\windows\$hf_mig$\KB956841\SP3QFE\ntoskrnl.exe
[7] 2008-08-14 10:00 2180352 21C91DA9CB53AA8A37041BA9684A8458 c:\windows\$NtServicePackUninstall$\ntoskrnl.exe
[7] 2004-08-04 04:00 2180992 CE218BC7088681FAA06633E218596CA7 c:\windows\$NtUninstallKB890859$\ntoskrnl.exe
[-] 2005-03-02 00:59 2179328 4D4CF2C14550A4B7718E94A6E581856E c:\windows\$NtUninstallKB929338$\ntoskrnl.exe
[-] 2006-12-19 14:17 2180352 8F0DEAB1F81FB83F9C5995853CE48B9F c:\windows\$NtUninstallKB931784$\ntoskrnl.exe
[7] 2008-08-14 10:11 2189184 EEAF32F8E15A24F62BECB1BD403BB5C5 c:\windows\$NtUninstallKB956572$\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\$NtUninstallKB956841$\ntoskrnl.exe
[-] 2007-02-28 09:10 2180352 582A8DBAA58C3B1F176EB2817DAEE77C c:\windows\$NtUninstallKB956841_0$\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\Driver Cache\i386\ntoskrnl.exe
[7] 2008-04-13 19:27 2188928 0C89243C7C3EE199B96FCC16990E0679 c:\windows\ServicePackFiles\i386\ntoskrnl.exe
[7] 2009-02-06 17:24 2180480 FACEBB0CA3154F77009CDFEE78A00BBB c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\ntoskrnl.exe
[7] 2009-02-06 10:32 2186112 6A936E9D7BADAF3CAAEED1E1966EC1B0 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\ntoskrnl.exe
[7] 2009-02-08 00:35 2189184 EFE8EACE83EAAD5849A7A548FB75B584 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\ntoskrnl.exe
[7] 2009-02-06 11:08 2189056 7A95B10A73737EBF24139AAA63F5212B c:\windows\system32\dllcache\ntoskrnl.exe

[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\explorer.exe
[-] 2007-06-13 11:26 1033216 7712DF0CDDE3A5AC89843E61CD5B3658 c:\windows\$hf_mig$\KB938828\SP2QFE\explorer.exe
[-] 2007-06-13 10:23 1033216 97BD6515465659FF8F3B7BE375B2EA87 c:\windows\$NtServicePackUninstall$\explorer.exe
[7] 2004-08-04 04:00 1032192 A0732187050030AE399B241436565E64 c:\windows\$NtUninstallKB938828$\explorer.exe
[7] 2008-04-14 00:12 1033728 12896823FB95BFB3DC9B46BCAEDC9923 c:\windows\ServicePackFiles\i386\explorer.exe

[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\$hf_mig$\KB956572\SP3QFE\services.exe
[7] 2004-08-04 04:00 108032 C6CE6EEC82F187615D1002BB3BB50ED4 c:\windows\$NtServicePackUninstall$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\$NtUninstallKB956572$\services.exe
[7] 2008-04-14 00:12 108544 0E776ED5F7CC9F94299E70461B7B8185 c:\windows\ServicePackFiles\i386\services.exe
[7] 2009-02-06 17:14 110592 37561F8D4160D62DA86D24AE41FAE8DE c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2GDR\services.exe
[7] 2009-02-06 10:22 110592 4712531AB7A01B7EE059853CA17D39BD c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP2QFE\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3GDR\services.exe
[7] 2009-02-06 11:06 110592 020CEAAEDC8EB655B6506B8C70D53BB6 c:\windows\SoftwareDistribution\Download\51401b498f4675531d9efb941ee01ef3\SP3QFE\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\services.exe
[7] 2009-02-06 11:11 110592 65DF52F5B8B6E9BBD183505225C37315 c:\windows\system32\dllcache\services.exe

[7] 2004-08-04 04:00 13312 84885F9B82F4D55C6146EBF6065D75D2 c:\windows\$NtServicePackUninstall$\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\ServicePackFiles\i386\lsass.exe
[7] 2008-04-14 00:12 13312 BF2466B3E18E970D8A976FB95FC1CA85 c:\windows\system32\lsass.exe

[7] 2004-08-04 04:00 15360 24232996A38C0B0CF151C2140AE29FC8 c:\windows\$NtServicePackUninstall$\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\ServicePackFiles\i386\ctfmon.exe
[7] 2008-04-14 00:12 15360 5F1D5F88303D4A4DBC8E5F97BA967CC3 c:\windows\system32\ctfmon.exe

[-] 2005-06-11 00:17 57856 AD3D9D191AEA7B5445FE1D82FFBB4788 c:\windows\$hf_mig$\KB896423\SP2QFE\spoolsv.exe
[-] 2005-06-10 23:53 57856 DA81EC57ACD4CDC3D4C51CF3D409AF9F c:\windows\$NtServicePackUninstall$\spoolsv.exe
[7] 2004-08-04 04:00 57856 7435B108B935E42EA92CA94F59C8E717 c:\windows\$NtUninstallKB896423$\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\ServicePackFiles\i386\spoolsv.exe
[7] 2008-04-14 00:12 57856 D8E14A61ACC1D4A6CD0D38AEBAC7FA3B c:\windows\system32\spoolsv.exe

[7] 2008-04-14 00:12 111104 ED7262E52C31CF1625B65039102BC16C c:\windows\ServicePackFiles\i386\wuauclt.exe
[7] 2008-10-16 20:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\wuauclt.exe
[7] 2008-10-16 20:09 51224 E654B78D2F1D791B30D0ED9A8195EC22 c:\windows\system32\dllcache\wuauclt.exe

[7] 2004-08-04 04:00 24576 39B1FFB03C2296323832ACBAE50D2AFF c:\windows\$NtServicePackUninstall$\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\ServicePackFiles\i386\userinit.exe
[7] 2008-04-14 00:12 26112 A93AEE1928A9D7CE3E16D24EC7380F89 c:\windows\system32\userinit.exe

[7] 2004-08-04 04:00 295424 B60C877D16D9C880B952FDA04ADF16E6 c:\windows\$NtServicePackUninstall$\termsrv.dll
[7] 2008-04-14 00:12 295424 FF3477C03BE7201C294C35F684B3479F c:\windows\ServicePackFiles\i386\termsrv.dll
[-] 2009-03-14 17:26 295424 63999D0ABD8DABFD76A9C07F6E104868 c:\windows\system32\termsrv.dll

[-] 2006-07-05 10:57 985088 0FDD84928A5DDE2510761B7EC76CCEC9 c:\windows\$hf_mig$\KB917422\SP2QFE\kernel32.dll
[-] 2007-04-16 16:07 986112 09F7CB3687F86EDAA4CA081F7AB66C03 c:\windows\$hf_mig$\KB935839\SP2QFE\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\$hf_mig$\KB959426\SP3QFE\kernel32.dll
[-] 2007-04-16 15:52 984576 A01F9CA902A88F7CED06884174D6419D c:\windows\$NtServicePackUninstall$\kernel32.dll
[7] 2004-08-04 04:00 983552 888190E31455FAD793312F8D087146EB c:\windows\$NtUninstallKB917422$\kernel32.dll
[-] 2006-07-05 10:55 984064 D8DB5397DE07577C1CB50BA6D23B3AD4 c:\windows\$NtUninstallKB935839$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\$NtUninstallKB959426$\kernel32.dll
[7] 2008-04-14 00:11 989696 C24B983D211C34DA8FCC1AC38477971D c:\windows\ServicePackFiles\i386\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3gdr\kernel32.dll
[7] 2009-03-21 13:59 991744 DA11D9D6ECBDF0F93436A4B7C13F7BEC c:\windows\SoftwareDistribution\Download\022593ca08eb4cd8e9681a7116f902d9\sp3qfe\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\kernel32.dll
[7] 2009-03-21 14:06 989696 B921FB870C9AC0D509B2CCABBBBE95F3 c:\windows\system32\dllcache\kernel32.dll

[7] 2004-08-04 04:00 17408 1B5F6923ABB450692E9FE0672C897AED c:\windows\$NtServicePackUninstall$\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\ServicePackFiles\i386\powrprof.dll
[7] 2008-04-14 00:12 17408 50A166237A0FA771261275A405646CC0 c:\windows\system32\powrprof.dll

[7] 2004-08-04 04:00 110080 87CA7CE6469577F059297B9D6556D66D c:\windows\$NtServicePackUninstall$\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\ServicePackFiles\i386\imm32.dll
[7] 2008-04-14 00:11 110080 0DA85218E92526972A821587E6A8BF8F c:\windows\system32\imm32.dll

[7] 2004-08-04 04:00 1580544 30A609E00BD1D4FFC49D6B5A432BE7F2 c:\windows\$NtServicePackUninstall$\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\ServicePackFiles\i386\sfcfiles.dll
[7] 2008-04-14 00:12 1614848 9DD07AF82244867CA36681EA2D29CE79 c:\windows\system32\sfcfiles.dll


[7] 2004-08-04 04:00 24576 EBDEE8A2EE5393890A1ACEE971C4C246 c:\windows\$NtServicePackUninstall$\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\ServicePackFiles\i386\kbdclass.sys
[7] 2008-04-13 18:39 24576 463C1EC80CD17420A542B7F36A36F128 c:\windows\system32\drivers\kbdclass.sys
.
((((((((((((((((((((((((((((( SnapShot@2009-06-28_01.21.40 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-03-27 04:44 . 2008-07-09 07:38 26488 c:\windows\system32\spupdsvc.exe
- 2007-03-27 04:44 . 2007-08-11 01:46 26488 c:\windows\system32\spupdsvc.exe
- 2008-01-09 09:00 . 2007-11-30 11:18 17272 c:\windows\system32\spmsg.dll
+ 2008-01-09 09:00 . 2007-11-30 12:39 17272 c:\windows\system32\spmsg.dll
+ 2007-03-27 01:53 . 2009-02-03 19:59 56832 c:\windows\system32\secur32.dll
+ 2007-03-27 01:53 . 2009-02-06 10:39 35328 c:\windows\system32\sc.exe
- 2005-12-05 06:55 . 2009-03-08 10:02 54484 c:\windows\system32\perfc009.dat
+ 2005-12-05 06:55 . 2009-06-28 03:31 54484 c:\windows\system32\perfc009.dat
- 2007-03-27 01:51 . 2008-04-14 00:12 91648 c:\windows\system32\mtxoci.dll
+ 2007-03-27 01:51 . 2008-06-12 14:23 91648 c:\windows\system32\mtxoci.dll
+ 2007-03-27 01:51 . 2008-06-12 14:23 66560 c:\windows\system32\mtxclu.dll
- 2007-03-27 01:51 . 2008-04-14 00:12 66560 c:\windows\system32\mtxclu.dll
+ 2007-03-27 01:51 . 2008-06-12 14:23 58880 c:\windows\system32\msdtclog.dll
- 2007-03-27 01:51 . 2008-04-14 00:11 58880 c:\windows\system32\msdtclog.dll
+ 2006-01-03 23:14 . 2006-01-03 23:14 20480 c:\windows\system32\Macromed\Flash\UninstFl.exe
+ 2006-01-21 21:01 . 2006-01-21 21:01 25088 c:\windows\system32\Macromed\Flash\genuinst.exe
+ 2009-02-03 19:59 . 2009-02-03 19:59 56832 c:\windows\system32\dllcache\secur32.dll
+ 2007-03-27 01:53 . 2009-02-06 10:39 35328 c:\windows\system32\dllcache\sc.exe
+ 2008-06-12 14:23 . 2008-06-12 14:23 91648 c:\windows\system32\dllcache\mtxoci.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 66560 c:\windows\system32\dllcache\mtxclu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 58880 c:\windows\system32\dllcache\msdtclog.dll
+ 2009-04-29 04:46 . 2009-04-29 04:46 81920 c:\windows\system32\dllcache\ieencode.dll
+ 2005-12-05 06:50 . 2009-06-29 00:59 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-12-05 06:50 . 2009-06-28 01:20 32768 c:\windows\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2005-12-04 22:43 . 2009-06-28 01:20 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2005-12-04 22:43 . 2009-06-29 00:59 32768 c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2005-12-04 22:43 . 2009-06-28 01:20 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
+ 2005-12-04 22:43 . 2009-06-29 00:59 16384 c:\windows\system32\config\systemprofile\Cookies\index.dat
- 2007-03-27 01:56 . 2008-04-14 00:12 354304 c:\windows\system32\winhttp.dll
+ 2007-03-27 01:56 . 2008-12-16 12:30 354304 c:\windows\system32\winhttp.dll
+ 2007-03-27 01:56 . 2009-02-06 10:10 227840 c:\windows\system32\wbem\wmiprvse.exe
+ 2007-03-27 01:56 . 2009-02-09 12:10 453120 c:\windows\system32\wbem\wmiprvsd.dll
+ 2007-03-27 01:49 . 2009-02-09 12:10 473600 c:\windows\system32\wbem\fastprox.dll
+ 2007-03-27 01:56 . 2009-04-29 04:46 620032 c:\windows\system32\urlmon.dll
+ 2007-03-27 01:53 . 2009-02-09 12:10 401408 c:\windows\system32\rpcss.dll
- 2005-12-05 06:55 . 2009-03-08 10:02 384926 c:\windows\system32\perfh009.dat
+ 2005-12-05 06:55 . 2009-06-28 03:31 384926 c:\windows\system32\perfh009.dat
- 2007-03-27 01:52 . 2008-04-14 00:12 284160 c:\windows\system32\pdh.dll
+ 2007-03-27 01:52 . 2009-03-06 14:22 284160 c:\windows\system32\pdh.dll
+ 2004-08-04 11:00 . 2009-02-09 12:10 714752 c:\windows\system32\ntdll.dll
- 2007-03-27 01:51 . 2008-04-14 00:11 161792 c:\windows\system32\msdtcuiu.dll
+ 2007-03-27 01:51 . 2008-06-12 14:23 161792 c:\windows\system32\msdtcuiu.dll
- 2007-03-27 01:51 . 2008-04-14 00:11 956928 c:\windows\system32\msdtctm.dll
+ 2007-03-27 01:51 . 2008-06-12 14:23 956928 c:\windows\system32\msdtctm.dll
+ 2007-03-27 01:51 . 2008-06-12 14:23 428032 c:\windows\system32\msdtcprx.dll
+ 2007-03-27 01:50 . 2009-02-09 12:10 729088 c:\windows\system32\lsasrv.dll
+ 2005-12-05 06:53 . 2009-06-28 03:27 172280 c:\windows\system32\FNTCACHE.DAT
- 2005-12-05 06:53 . 2009-03-11 15:14 172280 c:\windows\system32\FNTCACHE.DAT
+ 2008-12-16 12:30 . 2008-12-16 12:30 354304 c:\windows\system32\dllcache\winhttp.dll
+ 2008-06-26 08:15 . 2009-04-29 04:46 620032 c:\windows\system32\dllcache\urlmon.dll
+ 2009-04-15 14:51 . 2009-04-15 14:51 585216 c:\windows\system32\dllcache\rpcrt4.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 161792 c:\windows\system32\dllcache\msdtcuiu.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 956928 c:\windows\system32\dllcache\msdtctm.dll
+ 2008-06-12 14:23 . 2008-06-12 14:23 428032 c:\windows\system32\dllcache\msdtcprx.dll
+ 2009-05-07 15:32 . 2009-05-07 15:32 345600 c:\windows\system32\dllcache\localspl.dll
- 2007-03-27 03:52 . 2008-04-14 00:11 617472 c:\windows\system32\advapi32.dll
+ 2007-03-27 03:52 . 2009-02-09 12:10 617472 c:\windows\system32\advapi32.dll
+ 2009-06-29 01:06 . 2009-06-29 01:06 295606 c:\windows\Installer\{AC76BA86-7AD7-1033-7B44-A81300000003}\SC_Reader.exe
+ 2007-03-27 01:53 . 2009-04-29 04:46 1499136 c:\windows\system32\shdocvw.dll
- 2007-03-27 01:53 . 2008-10-16 01:00 1499136 c:\windows\system32\shdocvw.dll
- 2007-03-27 01:52 . 2008-05-07 05:12 1288192 c:\windows\system32\quartz.dll
+ 2007-03-27 01:52 . 2008-12-20 22:14 1288192 c:\windows\system32\quartz.dll
+ 2007-03-27 01:51 . 2009-04-29 04:46 3068928 c:\windows\system32\mshtml.dll
+ 2008-10-15 15:55 . 2009-04-17 12:26 1847168 c:\windows\system32\dllcache\win32k.sys
+ 2007-03-27 01:53 . 2009-04-29 04:46 1499136 c:\windows\system32\dllcache\shdocvw.dll
- 2007-03-27 01:53 . 2008-10-16 01:00 1499136 c:\windows\system32\dllcache\shdocvw.dll
- 2008-05-07 05:12 . 2008-05-07 05:12 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-05-07 05:12 . 2008-12-20 22:14 1288192 c:\windows\system32\dllcache\quartz.dll
+ 2008-10-15 15:55 . 2009-02-06 10:32 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
- 2008-10-15 15:55 . 2008-08-14 09:33 2023936 c:\windows\system32\dllcache\ntkrpamp.exe
+ 2008-10-15 15:55 . 2009-02-06 11:06 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
- 2008-10-15 15:55 . 2008-08-14 10:09 2145280 c:\windows\system32\dllcache\ntkrnlmp.exe
+ 2008-04-21 06:44 . 2009-04-29 04:46 3068928 c:\windows\system32\dllcache\mshtml.dll
+ 2008-10-15 15:55 . 2009-02-06 10:32 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 15:55 . 2008-08-14 09:33 2023936 c:\windows\Driver Cache\i386\ntkrpamp.exe
- 2008-10-15 15:55 . 2008-08-14 10:09 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2008-10-15 15:55 . 2009-02-06 11:06 2145280 c:\windows\Driver Cache\i386\ntkrnlmp.exe
+ 2009-06-28 01:52 . 2009-06-01 14:51 23635392 c:\windows\system32\MRT.exe
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\msxmwrv]
@="{0F84B84C-B3F8-A9F3-65A9-1B98D1A26C3E}"
[HKEY_CLASSES_ROOT\CLSID\{0F84B84C-B3F8-A9F3-65A9-1B98D1A26C3E}]
2004-08-04 04:00 131072 ----a-w- c:\windows\system32\msxmwrv.ocx

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-04-06 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Recguard"="c:\windows\SMINST\RECGUARD.EXE" [2005-07-22 237568]
"HPBootOp"="c:\program files\Hewlett-Packard\HP Boot Optimizer\HPBootOp.exe" [2006-02-15 249856]
"QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2007-02-16 282624]
"HP Software Update"="c:\program files\Hp\HP Software Update\HPWuSchd2.exe" [2007-05-08 54840]
"Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-10-15 39792]
"RTHDCPL"="RTHDCPL.EXE" - c:\windows\RTHDCPL.EXE [2006-03-08 16010240]

c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\
Last.fm Helper.lnk - c:\program files\Last.fm\LastFMHelper.exe [2007-8-5 106496]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Compaq Connections.lnk - c:\program files\Compaq Connections\5577497\Program\Compaq Connections.exe [2007-3-27 36903]
NETGEAR WPN111 Smart Wizard.lnk - c:\program files\NETGEAR\WPN111\wpn111.exe [2009-2-2 884838]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"ForceStartMenuLogOff"= 1 (0x1)
"NoChangeAnimation"= 0 (0x0)
"NoThumbnailCache"= 1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\disallowrun]
"1"= QQ.exe
"2"= QQexternal.exe
"3"= QQGame.exe
"4"= QQPetDazzle.exe

[HKLM\~\startupfolder\C:^Documents and Settings^Compaq_Owner^Start Menu^Programs^Startup^Last.fm Helper.lnk]
path=c:\documents and settings\Compaq_Owner\Start Menu\Programs\Startup\Last.fm Helper.lnk
backup=c:\windows\pss\Last.fm Helper.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"c:\\Program Files\\Compaq Connections\\5577497\\Program\\Compaq Connections.exe"=
"c:\\Program Files\\iTunes\\iTunes.exe"=
"c:\\StubInstaller.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\Last.fm\\LastFM.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"%windir%\\system32\\drivers\\svchost.exe"=

R1 totalio;TotalIO;c:\windows\system32\drivers\totalio.sys [12/22/2007 3:09 PM 2358]
R3 DNINDIS5;DNINDIS5 NDIS Protocol Driver;c:\windows\system32\DNINDIS5.sys [10/3/2008 2:09 PM 17149]
R3 WPN111;Wireless USB 2.0 Adapter with RangeMax Service;c:\windows\system32\drivers\WPN111.sys [2/2/2009 9:00 PM 362944]
S3 SQTECH9090;TOP Cam;c:\windows\system32\drivers\Capt9090.sys [1/25/2009 2:39 AM 48384]
.
Contents of the 'Scheduled Tasks' folder

2009-06-22 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2007-01-10 21:42]

2009-06-29 c:\windows\Tasks\Google Software Updater.job
- c:\program files\Google\Common\Google Updater\GoogleUpdaterService.exe [2007-03-28 02:57]
.
.
------- Supplementary Scan -------
.
uSearch Page = hxxp://www.google.com
uSearch Bar = hxxp://www.google.com/ie
mDefault_Search_URL = hxxp://www.google.com/ie
uSearchAssistant = hxxp://www.google.com/ie
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
mSearchAssistant = hxxp://www.google.com/ie
IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
FF - ProfilePath - c:\documents and settings\Compaq_Owner\Application Data\Mozilla\Firefox\Profiles\2dlck6br.default\
FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
FF - prefs.js: browser.search.selectedEngine - Wikipedia (en)
FF - plugin: c:\program files\Google\Google Updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava11.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava12.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava13.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava14.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJava32.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPJPI150_05.dll
FF - plugin: c:\program files\Java\jre1.5.0_05\bin\NPOJI610.dll
FF - plugin: c:\program files\Picasa2\npPicasa2.dll
FF - plugin: c:\windows\system32\C2MP\npdivx32.dll
.

**************************************************************************

catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-06-29 01:18
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(656)
c:\windows\system32\Ati2evxx.dll

- - - - - - - > 'explorer.exe'(2492)
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\ati2evxx.exe
c:\windows\system32\ati2evxx.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
.
**************************************************************************
.
Completion time: 2009-06-29 1:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-06-29 06:25
ComboFix2.txt 2009-06-28 01:29

Pre-Run: 46,490,497,024 bytes free
Post-Run: 46,485,016,576 bytes free

445 --- E O F --- 2009-06-28 01:55




OK, here is the VirusTotal scan of c:\windows\system32\stobjuct.dat:

Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.29 -
AhnLab-V3 5.0.0.2 2009.06.29 -
AntiVir 7.9.0.199 2009.06.28 -
Antiy-AVL 2.0.3.1 2009.06.29 -
Authentium 5.1.2.4 2009.06.28 -
Avast 4.8.1335.0 2009.06.28 -
AVG 8.5.0.339 2009.06.28 -
BitDefender 7.2 2009.06.29 -
CAT-QuickHeal 10.00 2009.06.26 -
ClamAV 0.94.1 2009.06.29 -
Comodo 1481 2009.06.29 -
DrWeb 5.0.0.12182 2009.06.29 -
eSafe 7.0.17.0 2009.06.28 -
eTrust-Vet 31.6.6582 2009.06.26 -
F-Prot 4.4.4.56 2009.06.28 -
F-Secure 8.0.14470.0 2009.06.29 -
Fortinet 3.117.0.0 2009.06.29 -
GData 19 2009.06.29 -
Ikarus T3.1.1.64.0 2009.06.29 -
Jiangmin 11.0.706 2009.06.29 -
K7AntiVirus 7.10.768 2009.06.19 -
Kaspersky 7.0.0.125 2009.06.29 -
McAfee 5660 2009.06.28 -
McAfee+Artemis 5660 2009.06.28 -
McAfee-GW-Edition 6.7.6 2009.06.28 -
Microsoft 1.4803 2009.06.29 -
NOD32 4194 2009.06.28 -
Norman 6.01.09 2009.06.26 -
nProtect 2009.1.8.0 2009.06.29 -
Panda 10.0.0.16 2009.06.28 -
PCTools 4.4.2.0 2009.06.28 -
Prevx 3.0 2009.06.29 -
Rising 21.36.00.00 2009.06.29 -
Sophos 4.43.0 2009.06.29 -
Sunbelt 3.2.1858.2 2009.06.28 -
Symantec 1.4.4.12 2009.06.29 -
TheHacker 6.3.4.3.356 2009.06.27 -
TrendMicro 8.950.0.1094 2009.06.29 -
VBA32 3.12.10.7 2009.06.29 -
ViRobot 2009.6.29.1809 2009.06.29 -
VirusBuster 4.6.5.0 2009.06.28 -
Additional information
File size: 4403 bytes
MD5...: 4fa78e12f0915bf0cca5e59856c66c4d
SHA1..: b51da6c5fb3177ff98ce4f9308160600fafa4061
SHA256: dd2cd1976d27db8a6e363b0effe363ad42a1000fdb95b5adac7699febd1c2416
ssdeep: 96:Eklj5p5OdDrNYZCT/JXZmCvKlEUv5Jjtl4jESO3pfiMKOrG:E29ADRXLtZmUKlbhJjb4jd65w
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-


And here is the VirusTotal scan for c:\windows\system32\msorcn2r.dat:

Result: 0/41 (0%)

Antivirus Version Last Update Result
a-squared 4.5.0.18 2009.06.29 -
AhnLab-V3 5.0.0.2 2009.06.29 -
AntiVir 7.9.0.199 2009.06.28 -
Antiy-AVL 2.0.3.1 2009.06.29 -
Authentium 5.1.2.4 2009.06.28 -
Avast 4.8.1335.0 2009.06.28 -
AVG 8.5.0.339 2009.06.28 -
BitDefender 7.2 2009.06.29 -
CAT-QuickHeal 10.00 2009.06.29 -
ClamAV 0.94.1 2009.06.29 -
Comodo 1481 2009.06.29 -
DrWeb 5.0.0.12182 2009.06.29 -
eSafe 7.0.17.0 2009.06.28 -
eTrust-Vet 31.6.6582 2009.06.26 -
F-Prot 4.4.4.56 2009.06.28 -
F-Secure 8.0.14470.0 2009.06.29 -
Fortinet 3.117.0.0 2009.06.29 -
GData 19 2009.06.29 -
Ikarus T3.1.1.64.0 2009.06.29 -
Jiangmin 11.0.706 2009.06.29 -
K7AntiVirus 7.10.768 2009.06.19 -
Kaspersky 7.0.0.125 2009.06.29 -
McAfee 5660 2009.06.28 -
McAfee+Artemis 5660 2009.06.28 -
McAfee-GW-Edition 6.7.6 2009.06.28 -
Microsoft 1.4803 2009.06.29 -
NOD32 4194 2009.06.28 -
Norman 6.01.09 2009.06.26 -
nProtect 2009.1.8.0 2009.06.29 -
Panda 10.0.0.16 2009.06.28 -
PCTools 4.4.2.0 2009.06.28 -
Prevx 3.0 2009.06.29 -
Rising 21.36.00.00 2009.06.29 -
Sophos 4.43.0 2009.06.29 -
Sunbelt 3.2.1858.2 2009.06.28 -
Symantec 1.4.4.12 2009.06.29 -
TheHacker 6.3.4.3.356 2009.06.27 -
TrendMicro 8.950.0.1094 2009.06.29 -
VBA32 3.12.10.7 2009.06.29 -
ViRobot 2009.6.29.1809 2009.06.29 -
VirusBuster 4.6.5.0 2009.06.28 -
Additional information
File size: 624 bytes
MD5...: 75641f6da4ca49b1a90197c96d4f912d
SHA1..: 9da97b2030a17512dad89b473b014d9715cf6543
SHA256: 33f85e7e09dbccd14a97f007fefb04c8e62732a5d65f8f489e9d5bb5809e8b89
ssdeep: 12:6D+MS88ETOWVFYqKduxwIpV/ZViNMxdhv2dxXaQNb8Xr3Xo5c9vOVIkn6li6jmVA:6DG88Ed+EmQ/fiNk52yQeXVvOVvn/Umm
PEiD..: -
TrID..: File type identification
Unknown!
PEInfo: -
PDFiD.: -
RDS...: NSRL Reference Data Set
-


C:\combofix.txt
C:\QooBox\Add-Remove Programs.txt <--attached
Virustotal report <--attached

I hope this helps!
Attached Files
File Type: txt Add-Remove Programs.txt (4.4 KB, 1 views)
Old 06-29-2009, 09:50 AM   #6 (permalink)
Analyst, Security Team
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: Overclick.cn Spyware

hi.

Quote:
I guess I'm lucky. I don't use this computer for financial transactions, and as a matter of policy I don't own a credit card. I think that trojan was the thing that was hijacking my gmail for spamming people. I deleted that account, and I thought I got it with Malwarebytes.

Guess I was wrong, huh?
Kinda

Malwarebytes is effective, but like any other antispyware or antivirus, it depends on signatures to recognize that a file is malicious. So always keep your protection updated.
Quote:
Anyway, again, thank you for being so speedy.

OK, I submitted [4]-Submit_2009-06-29_01.07.28 with this topic's address. Thank you for the submission.

continuation...
-------------------------------------------------------------------------
Copy and paste the following text into Notepad:

Quote:
REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\drivers\\svchost.exe"=-
Save this as "fixme.reg". Choose "All Files" as the save type and place it on your Desktop.
Double-click fixme.reg
-------------------------------------------------------------------------

Please download SystemLook from one of the links below and save it to your Desktop.
Download Mirror #1
Download Mirror #2
  • Double-click SystemLook.exe to run it.
  • Copy the content of the following codebox into the main textfield:
    Code:
    :filefind
    *QQ.exe*
    *QQexternal.exe*
    *QQGame.exe*
    *QQPetDazzle.exe*
    *svchost.exe*
  • Click the Look button to start the scan.
  • When finished, a notepad window will open with the results of the scan. Please post this log in your next reply.
Note: The log can also be found on your Desktop, entitled SystemLook.txt.

-------------------------------------------------------------------------

Please uninstall the following using the Windows Add/Remove Programs applet in the Control Panel.

P2P program ( Perils of P2P File Sharing )

µTorrent
LimeWire PRO 4.16.6

Outdated java runtimes: (Older versions have vulnerabilities that malicious sites can use to exploit and infect your system)

J2SE Runtime Environment 5.0 Update 5

After you uninstall your outdated Java, please download Java(TM) 6 Update 14 here and install it.

------------------------------------------------------------------------
I didn't see any antivirus installed, any reasons why? This is an open invitation for infection.

It can take as little as eight seconds to infect an unprotected computer.

Install this FREE AntiVirus program, update it, and run a full system scan.

Avira AntiVir Personal

When the scan is complete, click on the Report button. A log file will open. Save it in your desktop as Avira.txt. Please attach it in your next reply.

Do not install more than one antivirus program because they will conflict with each other. It is imperative that you update your antivirus software at least once a week (even more if you wish). If you do not update your antivirus software then it will not be able to catch new malware that may have come out.


In your reply, please post


Systemlook.txt
Avira.txt <--attached


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P

Last edited by mas_pogi; 06-29-2009 at 09:53 AM.
Old 06-29-2009, 05:17 PM   #7 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 5
OS: XP


Re: Overclick.cn Spyware

Alright, here's the SystemLook log:

SystemLook v1.0 by jpshortstuff (22.05.09)
Log created at 17:45 on 29/06/2009 by Compaq_Owner (Administrator - Elevation successful)

========== filefind ==========

Searching for "*QQ.exe*"
No files found.

Searching for "*QQexternal.exe*"
No files found.

Searching for "*QQGame.exe*"
No files found.

Searching for "*QQPetDazzle.exe*"
No files found.

Searching for "*svchost.exe*"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 14336 bytes [22:29 18/02/2009] [04:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [20:32 19/08/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a--- 14336 bytes [01:53 27/03/2007] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18

-=End Of File=-

Quote:
Please uninstall the following using the Windows Add/Remove Programs applet in the Control Panel.

µTorrent
LimeWire PRO 4.16.6
--Oh man, really? I was afraid you were going to say that. Oh this hurts. OK. Deleting. In pace requiescat, my faithful friends.


I have uninstalled and updated my java. Next...

Quote:
I didn't see any antivirus installed, any reasons why? This is an open invitation for infection.
Um... I failed not-getting-your-computer-raped-by-trojans 101?

Honestly? I think I just figured I could handle it on my own with regular virus scans. This thing came with Norton and, ...oh, I hate Norton. I had to get rid of that stuff.

I mean, of course there isn't a good reason.

Anyway,

Systemlook.txt
Avira.txt <--attached


I really appreciate your time,

Reagan
Attached Files
File Type: txt Avira.txt (24.8 KB, 1 views)
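The .reg fix earlier in the thread (removing the firewall exception for a svchost.exe living under system32\drivers) and the SystemLook filefind listing of every svchost.exe on the disk both come down to one check: a file named after a core Windows binary sitting in a directory where no genuine copy belongs. The Python script below is an added example, not code from the thread, from SystemLook or from ComboFix. It parses both text formats, applies that check, and also verifies that the live system32 copy's MD5 matches the ServicePackFiles\i386 cache copy that Windows File Protection restores from. The sample .reg export is constructed; three of the SystemLook lines are the ones posted above, while the drivers\svchost.exe line and its hash are constructed. The expected-directory table and C:\WINDOWS as %windir% are assumptions for the example.

```python
"""Flag copies of well-known Windows binaries outside their expected directory.

Input formats handled: a REGEDIT4 export of the firewall AuthorizedApplications
list and a SystemLook ':filefind' log.  Added example with constructed samples.
"""
import re
from typing import Dict, List

WINDIR = r"c:\windows"  # assumed for this example (the thread's machine is XP)

# Directories (relative to %windir%, lower-case) that hold a genuine copy of
# each binary on XP.  Assumption, based on the legitimate svchost.exe copies
# SystemLook listed in the thread.
EXPECTED_DIRS: Dict[str, set] = {
    "svchost.exe": {"system32", r"servicepackfiles\i386", "$ntservicepackuninstall$"},
}

REG_KEY = (r"[hkey_local_machine\system\currentcontrolset\services\sharedaccess"
           r"\parameters\firewallpolicy\standardprofile\authorizedapplications\list]")

FILEFIND_RE = re.compile(
    r"^([A-Za-z]:\\.+?)\s+([-A-Za-z]{6})\s+(\d+) bytes\s+"
    r"\[[^\]]*\]\s+\[[^\]]*\]\s+([0-9A-Fa-f]{32})$")


def normalize(path: str) -> str:
    """Lower-case, collapse REG-style doubled backslashes and expand %windir%."""
    return path.replace("\\\\", "\\").lower().replace("%windir%", WINDIR)


def parse_reg_authorized_apps(text: str) -> List[str]:
    """Application paths listed under the firewall's AuthorizedApplications\\List key."""
    paths, in_key = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == REG_KEY
            continue
        if in_key and line.startswith('"'):
            # The value name is the quoted path; the data ("...:Enabled:..." or "-") is not needed.
            m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=', line)
            if m:
                paths.append(normalize(m.group(1)))
    return paths


def parse_systemlook_filefind(text: str) -> List[Dict[str, object]]:
    """Entries (path, attrs, size, md5) from a SystemLook :filefind log."""
    entries = []
    for line in text.splitlines():
        m = FILEFIND_RE.match(line.strip())
        if m:
            entries.append({"path": normalize(m.group(1)), "attrs": m.group(2),
                            "size": int(m.group(3)), "md5": m.group(4).lower()})
    return entries


def unexpected_locations(paths: List[str]) -> List[str]:
    """Paths whose file name is a known system binary but whose directory is not
    one where a genuine copy lives (e.g. system32\\drivers\\svchost.exe)."""
    flagged = []
    for p in paths:
        directory, _, name = p.rpartition("\\")
        allowed = EXPECTED_DIRS.get(name)
        if allowed is None:
            continue
        if not directory.startswith(WINDIR + "\\") or directory[len(WINDIR) + 1:] not in allowed:
            flagged.append(p)
    return flagged


def live_copy_matches_cache(entries: List[Dict[str, object]], name: str = "svchost.exe") -> bool:
    """True when the in-use copy in system32 has the same MD5 as the
    ServicePackFiles\\i386 cache copy; False if either is missing or they differ."""
    md5_by_dir = {}
    for e in entries:
        directory, _, base = str(e["path"]).rpartition("\\")
        if base == name:
            md5_by_dir[directory] = e["md5"]
    live = md5_by_dir.get(WINDIR + r"\system32")
    return live is not None and live == md5_by_dir.get(WINDIR + r"\servicepackfiles\i386")


# Constructed sample export: one default XP entry plus the masquerading svchost.exe.
SAMPLE_REG = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\system32\\drivers\\svchost.exe"="%windir%\\system32\\drivers\\svchost.exe:*:Enabled:svchost"
'''

# Three lines as posted in the thread plus one constructed line (drivers copy, made-up hash).
SAMPLE_LOOK = r'''Searching for "*svchost.exe*"
C:\WINDOWS\$NtServicePackUninstall$\svchost.exe -----c 14336 bytes [22:29 18/02/2009] [04:00 04/08/2004] 8F078AE4ED187AAABC0A305146DE6716
C:\WINDOWS\ServicePackFiles\i386\svchost.exe ------ 14336 bytes [20:32 19/08/2008] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\svchost.exe --a--- 14336 bytes [01:53 27/03/2007] [00:12 14/04/2008] 27C6D03BCDB8CFEB96B716F3D8BE3E18
C:\WINDOWS\system32\drivers\svchost.exe --a--- 59904 bytes [20:05 27/06/2009] [20:05 27/06/2009] 0123456789ABCDEF0123456789ABCDEF
'''

if __name__ == "__main__":
    print("firewall exceptions in odd places:", unexpected_locations(parse_reg_authorized_apps(SAMPLE_REG)))
    found = parse_systemlook_filefind(SAMPLE_LOOK)
    print("on-disk copies in odd places:", unexpected_locations([str(e["path"]) for e in found]))
    print("system32 copy matches service-pack cache:", live_copy_matches_cache(found))
```

Both checks flag the drivers\svchost.exe copy, which is exactly the entry the fixme.reg file removed from the firewall list; the cache comparison passes because the two hashes posted in the thread for system32 and ServicePackFiles\i386 are identical.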
Old 06-29-2009, 06:24 PM   #8 (permalink)
Analyst, Security Team
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: Overclick.cn Spyware

hi.

Good. I thought there was more nastiness going on in the background. :-)

Quote:
Oh man, really? I was afraid you were going to say that. Oh this hurts. OK. Deleting. In pace requiescat, my faithful friends
Oh yeah. They are friends, but they will infect you with a virus later on. Choose your friends.
Quote:
Um... I failed not-getting-your-computer-raped-by-trojans 101?

Honestly? I think I just figured I could handle it on my own with regular virus scans. This thing came with Norton and, ...oh, I hate Norton. I had to get rid of that stuff.

I mean, of course there isn't a good reason.
Viruses are everywhere now. It is always better to have protection.

Quote:
Avira.txt <--attached
It seems you attached the update log.

Anyway, let's run another online scanner before we wrap this thread up. We are almost there.


Kaspersky scan

*Close any open programs.
*Turn off the real-time scanner of any existing antivirus program while performing the online scan. You can find instructions HERE.


Please do a scan with Kaspersky Online Scanner

Note: If you are using Windows Vista, open your browser by right-clicking on its icon and select 'Run as administrator' to perform this scan.

Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Attach that information in your next post.

How's your computer now?

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
Old 06-30-2009, 09:10 AM   #9 (permalink)
Registered User
 
Join Date: Jun 2009
Posts: 5
OS: XP


Re: Overclick.cn Spyware

Quote:
Seems you got the update log.
Oh damn. You're right. Sorry. Attaching the real results of the scan.

Anyway, I did the Kaspersky scan last night, and it found 11 infected items.

I'm attaching that report, too.

Quote:
How's your computer now?
Come to think of it, I haven't thought to check since you began helping me. Let me see...

OH WOW!

The overclick.cn redirect is GONE! NICE!

I didn't even know you had fixed anything, yet. Wow.

Okay, so anyway:

KaperskyReport.txt
Avira.txt <--attached

I think it might be worthy of note that I ran the Avira scan & fix AFTER I ran the Kaspersky scan. So I guess that means the Kaspersky scan isn't up-to-date.

Should I do it again?
Attached Files
File Type: txt Avira.txt (28.8 KB, 3 views)
File Type: txt KaperskyReport.txt (2.5 KB, 2 views)
Old 06-30-2009, 11:06 AM   #10 (permalink)
Analyst, Security Team
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: Overclick.cn Spyware

hi.

Quote:
The overclick.cn redirect is GONE! NICE!
Good.

Kaspersky flagged a file from your Java cache. Let's purge your Java cache; follow the steps here.

Kaspersky also found files in your System Restore, but it seems Avira already deleted them. Nevertheless, we will clear out that System Restore in my next instruction.

The others found in your Recovery Partition,

D:\I386\APPS\App07211\src\CompaqPresario_Spring06.exe
D:\I386\APPS\App07211\src\HPPavillion_Spring06.exe


are harmless.

------------------------------------------------------------------------

Congratulations! You now appear clean!

We Need to Clean Up Our Mess
  1. Uninstall ComboFix
    Remove Combofix now that we're done with it.
    • Click on your Start Menu, then Run....
    • Now copy and paste this one in the runbox. Then HIT enter.

      Code:
      ComboFix /u


    Uninstalling ComboFix will do the following:
    1. Delete ComboFix and its components from your computer.
    2. Delete other tools commonly used during the malware removal process.
    3. Reset clock settings to standard format.
    4. Re-hides file extensions and hidden/system files.
    5. Clears System Restore cache and creates new restore point.

  2. Please also delete the DDS.scr located at your desktop.
  3. Please also delete the fixme.reg located at your desktop.
-----------------------------------------------
Recommendations
Below are some recommendations to lower your chances of (re)infection.
  1. Install Spyware Blaster and update it regularly
    If you wish, the commercial version provides automatic updating.

  2. Install the MVPs hosts file, and update it regularly
    You can use the HostMan host file manager to do this automatically if you wish.
    For more information on the hosts file, and what it can do for you, you can view the Tutorial on the Hosts file

  3. Install an Anti-Spyware program, and update it regularly
    Malwarebytes' Anti-Malware is an excellent anti-spyware scanner. Its scan times are usually under ten minutes, and it has excellent detection and removal rates.
    SUPERAntiSpyware is another good scanner with high detection and removal rates.
    Both programs are free for non-commercial home use, but provide a resident scanner and do not nag if you purchase the paid versions.

  4. Keep Windows (and your other Microsoft software) up to date!
    I cannot stress enough how important this is. Often holes are found in Internet Explorer or Windows itself that require patching. Sometimes these holes will allow an attacker unrestricted access to your computer.

    Visit the Microsoft Update Website and follow the on screen instructions to setup Microsoft Update. Also follow the instructions to update your system. Please REBOOT and repeat this process until there are no more updates to install!!

  5. Keep your other software up to date as well
    Software does not need to be made by Microsoft to be insecure. You can use the Secunia Online Software occasionally to help you check for out of date software on your machine.

  6. Stay up to date!
    The MOST IMPORTANT part of any security setup is keeping the software up to date. Malware writers release new variants every single day. If your software updates don't keep up, then the malware will always be one step ahead. Not a good thing :(.

Please respond to this thread one more time so we can mark this thread as resolved.

Maraming salamat.

Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P
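Recommendation 2 above relies on the hosts file: a blocking list such as the MVPs one maps known ad and malware domains to an unroutable address so the browser never reaches them, which is the same mechanism a hijacker abuses in reverse by pointing update or banking domains at a server it controls. The Python snippet below is an added example, not part of the thread or of the MVPs hosts project. It parses a hosts file the way the resolver reads it (comments stripped, several names per line, first entry wins, names case-insensitive), reports whether a given name is sinkholed, and lists any entry that points at a routable address, which is the kind a clean blocking file never contains. The sample file is constructed; overclick.cn is the redirector named in the thread, and the other names are documentation domains.

```python
"""Parse a hosts file and audit it.  Added example with a constructed sample."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample in the style of a blocking hosts file.  The last entry is
# the kind a hijacker plants (198.51.100.0/24 is a documentation range).
SAMPLE_HOSTS = """\
# Constructed sample hosts file
127.0.0.1 localhost
::1       localhost
0.0.0.0 overclick.cn www.overclick.cn   # redirector from the thread
0.0.0.0 ads.example.net
127.0.0.1 tracker.example.org
not-an-ip should.be.skipped
198.51.100.7 update.example.com   # constructed: redirect to a routable address
"""


def parse_hosts(text: str) -> Dict[str, str]:
    """hostname (lower-case) -> address.  The first mapping for a name wins,
    matching resolver behaviour; malformed addresses are skipped."""
    table: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # e.g. "not-an-ip ..." line
        for name in parts[1:]:
            table.setdefault(name.lower(), str(addr))
    return table


def _is_sinkhole(addr: str) -> bool:
    """0.0.0.0, 127.x.x.x and ::1 are the addresses a blocking file points at."""
    a = ipaddress.ip_address(addr)
    return a.is_unspecified or a.is_loopback


def is_sinkholed(table: Dict[str, str], hostname: str) -> bool:
    """True when the name is present and mapped to a sinkhole address."""
    addr = table.get(hostname.lower().rstrip("."))
    return addr is not None and _is_sinkhole(addr)


def redirect_entries(table: Dict[str, str]) -> List[Tuple[str, str]]:
    """Entries pointing at a routable address.  In a file meant only for
    blocking, every such entry deserves a look: it silently redirects the name."""
    return sorted((name, addr) for name, addr in table.items() if not _is_sinkhole(addr))


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    print("overclick.cn blocked:", is_sinkholed(hosts, "WWW.OVERCLICK.CN"))
    print("entries that redirect rather than block:", redirect_entries(hosts))
```

Run against the real file (%SystemRoot%\system32\drivers\etc\hosts on Windows, /etc/hosts elsewhere), an empty `redirect_entries` result is what a machine with only a blocking list installed should produce.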
Old 07-03-2009, 09:41 AM   #11 (permalink)
Analyst, Security Team
Join Date: Apr 2008
Location: Manila, PH
Posts: 1,469
OS: Vista, Linux Mint


Re: Overclick.cn Spyware

Since the problem appears to be resolved, it will now be archived.


Mark
__________________
To accomplish great things, we must not only act, but also dream; not only plan, but also believe.
If I have been helping you and do not reply within 24 hours, please send me a message.
I'm a member of U.N.I.T.E and A.S.A.P

Last edited by mas_pogi; 07-03-2009 at 09:44 AM.
Copyright 2001 - 2009, Tech Support Forum